openstack/neutron-vpnaas
Code Issues Proposed changes

Merge "Set owner to root for ipsec.secrets for LibreSwan"

Browse Source
This commit is contained in:
Jenkins 2015-09-15 01:08:04 +00:00 committed by Gerrit Code Review
commit 8d9a49a1e0
3 changed files with 20 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
etc/neutron/rootwrap.d/vpnaas.filters
View File

@ -14,3 +14,4 @@ ipsec: CommandFilter, ipsec, root
strongswan: CommandFilter, strongswan, root strongswan: CommandFilter, strongswan, root
neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
chown: CommandFilter, chown, root

8
neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
View File

@ -60,6 +60,14 @@ class LibreSwanProcess(ipsec.OpenSwanProcess):
Initialise the nssdb, otherwise pluto daemon will fail to run. Initialise the nssdb, otherwise pluto daemon will fail to run.
""" """
super(LibreSwanProcess, self).ensure_configs() super(LibreSwanProcess, self).ensure_configs()
# LibreSwan uses the capabilities library to restrict access to
# ipsec.secrets to users that have explicit access. Since pluto is
# running as root and the file has 0600 perms, we must set the
# owner of the file to root.
secrets_file = self._get_config_filename('ipsec.secrets')
self._execute(['chown', 'root:root', secrets_file])
# Load the ipsec kernel module if not loaded # Load the ipsec kernel module if not loaded
self._execute([self.binary, '_stackmanager', 'start']) self._execute([self.binary, '_stackmanager', 'start'])
# checknss creates nssdb only if it is missing # checknss creates nssdb only if it is missing

16
neutron_vpnaas/tests/unit/services/vpn/device_drivers/test_ipsec.py
View File

@ -993,22 +993,28 @@ class TestLibreSwanProcess(base.BaseTestCase):
openswan_ipsec.OpenSwanProcess.ensure_configs = mock.Mock() openswan_ipsec.OpenSwanProcess.ensure_configs = mock.Mock()
with mock.patch.object(self.ipsec_process, '_execute') as fake_execute: with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
self.ipsec_process.ensure_configs() self.ipsec_process.ensure_configs()
expected = [mock.call(['ipsec', '_stackmanager', 'start']), expected = [mock.call(['chown', 'root:root',
self.ipsec_process._get_config_filename(
'ipsec.secrets')]),
mock.call(['ipsec', '_stackmanager', 'start']),
mock.call(['ipsec', 'checknss', mock.call(['ipsec', 'checknss',
self.ipsec_process.etc_dir])] self.ipsec_process.etc_dir])]
fake_execute.assert_has_calls(expected) fake_execute.assert_has_calls(expected)
self.assertEqual(2, fake_execute.call_count) self.assertEqual(3, fake_execute.call_count)
with mock.patch.object(self.ipsec_process, '_execute') as fake_execute: with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
fake_execute.side_effect = [None, RuntimeError, None] fake_execute.side_effect = [None, None, RuntimeError, None]
self.ipsec_process.ensure_configs() self.ipsec_process.ensure_configs()
expected = [mock.call(['ipsec', '_stackmanager', 'start']), expected = [mock.call(['chown', 'root:root',
self.ipsec_process._get_config_filename(
'ipsec.secrets')]),
mock.call(['ipsec', '_stackmanager', 'start']),
mock.call(['ipsec', 'checknss', mock.call(['ipsec', 'checknss',
self.ipsec_process.etc_dir]), self.ipsec_process.etc_dir]),
mock.call(['ipsec', 'initnss', mock.call(['ipsec', 'initnss',
self.ipsec_process.etc_dir])] self.ipsec_process.etc_dir])]
fake_execute.assert_has_calls(expected) fake_execute.assert_has_calls(expected)
self.assertEqual(3, fake_execute.call_count) self.assertEqual(4, fake_execute.call_count)
class IPsecStrongswanDeviceDriverLegacy(IPSecDeviceLegacy): class IPsecStrongswanDeviceDriverLegacy(IPSecDeviceLegacy):